My Turn

February 01, 2014

The Cost of Security

In this issue of RSNA News, I draw your attention to the feature article describing some of the challenges radiologists face as a result of new HIPAA (The Health Insurance Portability and Accountability Act) rules that came into effect in fall 2013.

I think that everyone would agree that our campaign of always “keeping patients first” means protecting them. Their fundamental safety, of course, is the primary concern, but patients first also means respecting their privacy. When HIPAA became law in April 2003, most of us understood the concept if not exactly the letter of the law.

As an academic radiologist, I knew enough to make sure that patients’ names were blacked out on images being collected for didactic presentations and that we should refrain from discussing patients in the hospital elevators or cafeteria. But the restrictions imposed by HIPAA have farther-reaching implications for handling Protected Health Information, or PHI, than most of us ever imagined.

With HITECH, the Health Information Technology for Economic and Clinical Health Act, which further spells out some serious consequences of mishandling PHI, things have become even more complicated.

The issues with HIPAA and HITECH underscore a general problem we’re facing today in America, namely how to maintain data security in what is rapidly becoming an exclusively digital society—where our economic transactions, communications and many services are available only online. We increasingly find ourselves targets of cyberattacks, whether on our personal identity or businesses. When we conduct transactions on “secure servers,” we rely on them to be secure knowing that no such thing truly exists.

For those of us who conduct our daily patient-related activities with the aid of our desktop computers, tablets and smartphones, our parent organizations require us to be protected by firewalls and load software onto our devices to manage and encrypt our data. These tactics absolve us of personal liability in the event of a data breach, but they come at a cost. Others now have access to what was once “our” data—including our own personal information stored on those devices—floating around in a cloud somewhere.

On the one hand, individuals need to be assured of their personal security, whatever aspect of it we might be discussing. The judicious use of technology can help with that security, but it’s easy to cross the fine line between watchfulness and invasion of privacy. In the era of big data, that balance point is increasingly less clear and the law of unintended consequences often brings us quickly from the cloud back down to earth.

David M. Hovsepian, M.D., is the editor of RSNA News. He is a professor of radiology in the Department of Radiology at Stanford University in California. He also serves on the RSNA Public Information Committee and the Public Information Advisors Network.